idmap_ad
IDMAP_AD(8) IDMAP_AD(8)
NAME
idmap_ad - Samba’s idmap_ad Backend for Winbind
DESCRIPTION
The idmap_ad plugin provides a way for Winbind to read id mappings
from an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the posixAc-
count/posixGroup classess and relative attribute/value pairs to the
users and groups objects in AD
IDMAP OPTIONS
range = low - high
Defines the available matching uid and gid range for which the
backend is authoritative. Note that the range acts as a filter. If
specified any UID or GID stored in AD that fall outside the range
is ignored and the corresponding map is discarded. It is intended
as a way to avoid accidental UID/GID overlaps between local and
remotely defined IDs.
schema_mode = <rfc2307 | sfu >
Defines the schema that idmap_ad should use when querying Active
Directory regarding user and group information. This can either the
RFC2307 schema support included in Windows 2003 R2 or the Service
for Unix (SFU) schema.
EXAMPLES
The following example shows how to retrieve idmappings from our prin-
cipal and and trusted AD domains. All is needed is to set default to
yes. If trusted domains are present id conflicts must be resolved
beforehand, there is no guarantee on the order confliting mappings
would be resolved at this point. This example also shows how to leave
a small non conflicting range for local id allocation that may be used
in internal backends like BULTIN.
[global]
idmap domains = ALLDOMAINS
idmap config ALLDOMAINS:backend = ad
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:range = 10000 - 300000000
idmap alloc backend = tdb
idmap alloc config:range = 5000 - 9999
AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.
IDMAP_AD(8)
